is my site really a threat? expert opinion please


truffula

Nov 18, 2008, 2:27:11 PM
to stopbadware
Greetings,

My site is basically a news portal and contains links to external news sources.

In order to track which stories get the most clicks, I use a dynamically generated JavaScript redirect that uses a GET variable in the address that contains the URL of the external site. This variable is parsed to make sure that it is a valid URL and not malicious code. In this way, when someone clicks on a link, the page is generated and a Google Analytics cookie is logged, which enables me to see where people are going when they leave the site.

A couple of weeks ago I saw an unprecedented leap in my pageviews and on further investigation found that someone was inserting the URLs of porn sites into the location bar of their browser (or equivalent) and causing my redirect page to act as an intermediary stage in their web journey to porn. At first I thought it might be someone trying to view porn at work, but when the pageviews hit 6000, I realised this was unlikely. Nevertheless I changed the code to weed out the porn search terms that were cropping up in the URLs.

Recently my site was flagged as containing links to malware, yet there is no trace of any of the malware sites mentioned in the badware report in any of the links on my site.

Can anyone explain how my site poses a threat to someone visiting it? As far as I can see, the only threat is to those altering the URL variable in their location bar...

Am I missing something?

PS - I have also implemented code to strip out the hosts that have been mentioned in the badware report.

thanks

UseShots

Nov 18, 2008, 4:04:05 PM
to stopbadware
Hi,

Just a guess. They could use your site's redirect function to point people to malicious pages. They could insert malicious scripts and iframes into third-party web sites, specifying your web pages as the source. And then your web site would actually redirect the browser to another site with malicious code.

Do you remember the target URLs? Do you recognize them here?
http://www.google.com/safebrowsing/diagnostic?site=climatechangenews.org

I don't know how Google's automated scanners treat such redirects.

Maybe Googlers can clarify the issue.

Denis
http://www.UnmaskParasites.com

Oliver Fisher

Nov 18, 2008, 4:23:10 PM
to stopbadware
Yes, that's exactly what the scanners are flagging. If you log into
Google's Webmaster Tools, you'll see that all the sample malicious
urls are going through your open redirector.

Hope that helps,
O.
Google Anti-Malware Team.

On Nov 18, 4:04 pm, UseShots <goo...@useshots.com> wrote:
> Hi,
>
> Just a guess. They could use your site's redirect function to point
> people to malicious pages. They could insert malicious scripts and
> iframes into third-party web sites, specifying your web pages as the
> source. And then your web site would actually redirect the browser to
> another site with malicious code.
>
> Do you remember the target URLs? Do you recognize them here?
> http://www.google.com/safebrowsing/diagnostic?site=climatechangenews.org

truffula

Nov 18, 2008, 8:19:44 PM
to stopbadware
Aha, that explains it. I'll get rid of those open redirect pages straight away and see if I can figure out a more secure way of doing things.

thanks!

UseShots

Nov 19, 2008, 7:47:04 AM
to stopbadware
You might want to add some hash parameter, and then match the hash of
the URL with the passed hash. Make sure to add some "salt" when
generating hashes, so that hackers can't generate the hashes
themselves.

Denis
http://www.UnmaskParasites.com

truffula

Nov 20, 2008, 1:46:40 PM
to stopbadware
I'm not sure I understand this. Obviously I'm not really up to speed on my coding, or I wouldn't have got myself into this mess in the first place!
I don't want to take up too much of your time, but could you point me in the direction of some resources for finding out more about the technique you describe?

Also, I don't know if this would work, but since all my links are actually on my site, would a script that checks the referring page work? If it was not my domain, the redirect would fail. Is this a good idea, or is there some vulnerability to this that the malmongers could exploit?

thanks!

UseShots

Nov 21, 2008, 6:01:25 AM
to stopbadware
Let me explain.

Let's say you pass the redirect URL in a parameter:
http://mysite.com/redirect.php?url=redirectsite.com

When you create this URL, you can add a hash (md5 or sha) of "redirectsite.com" as a second parameter, i.e.
http://mysite.com/redirect.php?url=redirectsite.com&hash=09acbb404b64f1fc04d7ee0584ac4851

Now in redirect.php you should compare the hash of the "url" parameter with the value of the "hash" parameter and redirect only if they match.

Now let's say bad guys figured out that you use md5 to generate the hash parameter. They can easily generate the md5 hash of the url parameter themselves and bypass your security check.

To make it almost impossible for hackers to generate the correct hash parameter, you should add some "salt" to the URL before creating the hash.
I.e. instead of md5(url) you should do md5(salt+url), where "salt" is some hard-to-guess string constant.
Now in redirect.php you should compare md5(salt+url) with hash. Now hackers can't generate a valid hash themselves since they don't know the "salt".

I guess you get the idea.

Denis
http://www.UnmaskParasites.com
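A Python sketch of the hash-parameter scheme Denis describes, added here and not code from the thread: the link generator the portal would run when it renders a story, and the redirect.php-side check. It substitutes HMAC-SHA256 keyed with the secret for md5(salt+url) (a swapped-in construction, so the secret is a MAC key rather than a string prefix), compares in constant time, and refuses non-http(s) targets even when the tag is valid. SECRET_KEY, the function names and the sample URL are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Hypothetical server-side secret (constructed placeholder). Load it from
# server config in practice; it must never be sent to the browser.
SECRET_KEY = b"replace-with-a-long-random-secret"


def sign_url(url: str, key: bytes = SECRET_KEY) -> str:
    """Tag for a redirect target: HMAC-SHA256(key, url), hex-encoded.
    Takes the place of md5(salt+url) in the thread."""
    return hmac.new(key, url.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(url: str, key: bytes = SECRET_KEY) -> str:
    """Link the news portal emits for a story; the tag is computed
    server-side when the page is generated, so only the site can mint it."""
    return "/redirect.php?" + urlencode({"url": url, "hash": sign_url(url, key)})


def verify_redirect(query_string: str, key: bytes = SECRET_KEY):
    """redirect.php side: return the target only if the tag matches;
    return None (caller answers 403) for a missing, stale or forged tag."""
    params = parse_qs(query_string, keep_blank_values=True)
    url = params.get("url", [""])[0]
    tag = params.get("hash", [""])[0]
    if not url or not tag:
        return None
    # Only web schemes: a leaked key must not turn the page into a
    # javascript:/data: launcher.
    if urlsplit(url).scheme not in ("http", "https"):
        return None
    # Constant-time comparison; a plain == leaks the tag byte by byte.
    if not hmac.compare_digest(sign_url(url, key), tag):
        return None
    return url
```

Anyone typing a URL into the location bar gets a 403 because they cannot produce the hash; only links the site itself generated redirect.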

SteveW

Nov 21, 2008, 3:56:22 PM
to stopbadware
The hash method Denis suggested can be automated to accommodate the
creation and decoding of a hash value for any URL, if your URL list
changes often.

If the URLs don't change often, there are multiple possible methods:

1) Array method

Make a PHP array containing the complete list of URLs to allow (or
store the list in a disk file where they're easy to maintain).
Compare the incoming query string URL against the list.
If it's not in the list, generate a 403 Forbidden error and quit.

2) Switch method

Use a switch statement.
Create a case for each legal URL.
The default case, for illegal URLs, can generate a 403 Forbidden error
and quit.

3) .htaccess method (provides additional security)

If all the legal URLs are on your site, any URL containing http://
that isn't followed by your domain name is illegal.
Create a RewriteRule that gives a 403 error for any incoming request
that contains the string http followed by any domain name other than
yours.

This method can also replace the array and switch methods:
modify your RewriteRule (in the RewriteConds) so that each URL to
allow is allowed, but anything else is rejected with a 403.
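SteveW's array method (1), as an added example that is not code from the thread and is written in Python rather than PHP: the allowed targets are read from the lines of a disk file, and the incoming "url" parameter is accepted only on an exact match after normalising scheme, host case and default port, so a URL that merely contains an allowed host, or differs in its query, still gets the 403. The file contents and function names are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed contents of the allowlist file: one target per line, '#' comments.
ALLOWLIST_TEXT = """
# external news sources we link to
http://news.example.com/story?id=42
https://Weather.Example.org/today
"""


def normalize(url: str) -> str:
    """Canonical form so 'HTTP://Host:80/x' and 'http://host/x' compare
    equal, while path and query stay exact (they identify the story).
    Returns '' for anything that is not an absolute http(s) URL."""
    try:
        parts = urlsplit(url.strip())
        scheme = parts.scheme.lower()
        if scheme not in ("http", "https") or not parts.hostname:
            return ""
        host = parts.hostname.lower()
        default_port = {"http": 80, "https": 443}[scheme]
        if parts.port and parts.port != default_port:
            host = f"{host}:{parts.port}"
        return urlunsplit((scheme, host, parts.path or "/", parts.query, ""))
    except ValueError:  # e.g. a non-numeric port
        return ""


def load_allowlist(text: str) -> frozenset:
    """Parse the file once at startup; skip blank lines and comments."""
    urls = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            canonical = normalize(line)
            if canonical:
                urls.add(canonical)
    return frozenset(urls)


def redirect_decision(url_param: str, allowlist: frozenset):
    """Return (status, location): 302 to the listed target, otherwise
    403 with no Location (SteveW's 'generate a 403 Forbidden and quit')."""
    target = normalize(url_param)
    if target and target in allowlist:
        return 302, target
    return 403, None
```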

truffula

Nov 23, 2008, 5:57:48 AM
to stopbadware
Dear Denis,
Thanks very much for your reply - since the links change daily, I think this is the right solution for me.
Off to do some homework now - cheers!